Drexel’s Data Failure

Remember back when George Washington University sent out that Welcome to GW! email to a whole bunch of students who hadn’t been admitted?

Well the dreadful screw-up that results from maintaining all databases online has happened again. Only this time it’s not just a bunch of emotional high school students who got a confusing message. This time the school released sensitive data about its real students.

On February 20 the Provost of Drexel University, Mark Greenberg, sent the following message to faculty and staff.

As you may have heard, there was a recent inadvertent public disclosure of certain Drexel student records. An e-mail sent by the University to 479 students was accidentally accompanied by an attachment containing a list of 5,379 students and their University ID number, major, and grade point average.

The University took several mitigating steps after this mistake including issuing a new University ID number to every affected student as well as attempting to delete the attachment from our internal systems. Regardless, the error is unacceptable, and this is an occasion for us to recommit to handling all student records entrusted to us with utmost care. It’s a matter of the privacy and safety of every member of the Drexel community.

Oh but wait. The school has a “plan” to fix this kind of problem. Drexel is “re-examining” its student records policies, but in the meantime it has some suggestions:

Be sure to use the minimum data necessary to complete a task. Don’t reuse or redistribute a file that contains data that isn’t needed.

Don’t store university data outside of the university’s protected data centers. Exceptions may be granted upon request to infosec-requests@drexel.edu.

Set up an approval process before the release of data. This can be as simple as a “second set of eyes” to review a message before sending it. .

Limit the number of copies of data that are made and the number of people with access to the data to the smallest number necessary to complete a task. Delete the data when it’s no longer needed.

Always double-check e-mail before sending it. Make sure it only contains content or attachments that you intend to share.

This is the advice to staff? This basically boils down to just “don’t screw up.” Be really careful not to screw up. Screwing up is bad.

That’s the sort of thing you say to your kid about how to use the stove; it’s not administrative procedure.

Admittedly, problems like this this are really fairly common in academia. It doesn’t technically indicate a structural problem exclusive to Drexel. It’s sort of inherent to the system. The more a school tries to manage everything online, the more problems like this will occur.

It’s up to universities to set their own priorities and determine how important things like security really are in terms of administrative time and expense. But if an institution really wants to make absolutely sure never to commit a massive breech like this, don’t put everything online in the same place.